Based on the comments in my last post on DAM, especially the one from Mike Spiers, I want to make it clear that if you are performing Database Activity Monitoring it should be owned and managed by security.
It’s fine for DBAs to manage regular database auditing (unless they’re the auditing target), but DAM is a security-specific tool whose primary benefits are to create separation of duties (from the DBAs) and to give security insight into the database.
You might need DBAs to get it integrated with the database and confirm performance, but that’s where their involvement stops.
6 Replies to “Follow Up: DBAs Should *Not* Own Database Activity Monitoring”
[…] further… it’s not just DBAs (and I’m not going to get into the whole issue of who owns database activity monitoring…) but companies in general are too reactive when it comes to database […]
Thanks rmogull. It is interesting to us to understand who is buying or how the market will move into DAM.
We are a company that has special technology to do DAM (at the moment with MsSQL Server and Oracle).
We are experiencing some delays addressing the Argentinean and the Chilean market.
Do you know where that technology is HOT? I mean, which markets do you think we have to focus on to succeed next year?
Thanks!!!
@Leandro- there is a variety of companies using it. The two biggest groups are public companies using it to help with SOX compliance, and retail using it to help with internal security and PCI compliance.
They use them to reduce the cost of compliance and to improve their database security.
Hi Rich,
Thanks for the elaborate post and the follow up… I’ve just come back from a week in Europe where neither DBAs nor CISOs own database security, just like their American counterparts 😉
Another way of looking at the problem (and the solution) is that security pros are in charge of creating policy and enforcing it. DBAs are not, but in order to translate policies into procedures, rules and choices that are relevant and applicable to the database, they must be involved.
I’m glad you took a prescriptive, actionable approach to the present situation, because I think that’s where a lot of companies are stumped. They know there’s a problem, but they’re not sure how to approach it. They’re looking for best practices. The fact that you needed to point out 6 areas of responsibility underscores the complexity of the current situation, but I don’t see a better or simpler short-term approach.
Rani
Hi, do you know what kind of companies are using DAM tools?
And why those companies are using the DAM tools?
Thanks
This is a perfect example why security should never be totally “integrated” into another group’s functions, like development, operations, and so on. Without a separate security group there’s no way to perform separation of duties. Good point RM.